Abstract. We describe the AMBER tool for proving and refuting the 
termination of a class of probabilistic while-programs with polynomial 
arithmetic, in a fully automated manner. AMBER combines martingale 
theory with properties of asymptotic bounding functions and implements 
relaxed versions of existing probabilistic termination proof rules 
to prove/disprove (positive) almost sure termination of probabilistic 
loops. AMBER supports programs parameterized by symbolic constants 
and drawing from common probability distributions. Our experimental 
comparisons give practical evidence of AMBER outperforming existing 
state-of-the-art tools. 
1 Introduction 


Probabilistic programming obviates the need to manually provide inference 
methods and enables rapid prototyping [13]. Automated formal verification of 
probabilistic programs, however, is still in its infancy. Our tool AMBER provides 
a step towards solving this problem when it comes to automating the 
termination analysis of probabilistic programs, which is an active research topic 
[11,6,12,7,1,9,16,14,10]. Probabilistic programs are almost-surely terminating 
(AST) if they terminate with probability 1 on all inputs. They are positively 
AST (PAST) if their expected runtime is finite [5]. We describe AMBER, a fully 
automated software artifact to prove/disprove (P)AST. Proving (P)AST is a 
notoriously difficult problem; in fact it is harder than proving traditional program 
termination [15]. AMBER supports the analysis of a class of polynomial 
probabilistic programs. Programs in the supported class consist of single loops 
whose body is a sequence of random assignments with acyclic variable dependencies. 
Moreover, AMBER’s programming model supports programs parametrized 
by symbolic constants and drawing from common probability distributions. To 
automate termination analysis, AMBER automates relaxations of various existing 
bop ∈ {+, -, *, **, /}, cop ∈ {>, <} 
dist ∈ {uniform, gauss, laplace, bernoulli, binomial, geometric, hypergeometric, exponential, beta, 
chi-squared, rayleigh} 

⟨program⟩ ::= ⟨i_assign⟩* while ⟨poly⟩ ⟨cop⟩ ⟨poly⟩: ⟨rv_assign⟩* ⟨v_assign⟩* 
⟨i_assign⟩ ::= ⟨var⟩ = ⟨const⟩ | ⟨var⟩ = ⟨rv_expr⟩ 
⟨rv_assign⟩ ::= ⟨var⟩ = ⟨rv_expr⟩ 
⟨v_assign⟩ ::= ⟨var⟩ = ⟨branches⟩ 
⟨rv_expr⟩ ::= RV(⟨dist⟩ [, ⟨const⟩]*) 
⟨branches⟩ ::= ⟨poly⟩ | ⟨poly⟩ @ ⟨const⟩; ⟨branches⟩ 
⟨poly⟩ ::= p ∈ C[V] 
⟨sym⟩ ::= [a-zA-Z][a-zA-Z0-9]* 
⟨var⟩ V ::= [a-zA-Z][a-zA-Z0-9]* 
⟨const⟩ C ::= n ∈ ℕ | ⟨sym⟩ | - ⟨const⟩ | ⟨const⟩ ⟨bop⟩ ⟨const⟩ 

Fig. 1: The AMBER input syntax. C[V] denotes the set of polynomials in V (program 
variables) with coefficients from C (constants). The power operator is ‘**’. 


martingale-based proof rules ensuring (non-)(P)AST [8] and combines symbolic 
computation with asymptotic bounding functions. AMBER certifies (non-)(P)AST 
without relying on user-provided templates/bounds over termination conditions. 
Our experiments demonstrate AMBER outperforming the state-of-the-art in the 
automated termination analysis of probabilistic programs (Section 3). 


Related work. The tools MGen [6] and LexRSM [1] use linear programming techniques 
to certify PAST and AST, respectively. The recent tools Absynth [20], 
KoAT2 [18] and ecoimp [2] can establish upper bounds on expected costs, therefore 
also on expected runtimes, and thus certify PAST. While powerful on respective 
AST/PAST domains, we note that none of the aforementioned tools support 
both proving and disproving (P)AST. AMBER is the first tool able to prove and 
disprove (P)AST. Our recent work introduces relaxations of existing proof rules 
for probabilistic (non-)termination together with automation techniques based 
on asymptotic bounding functions [19]. We utilize these proof rule relaxations in 
AMBER and extend the technique of asymptotic bounding functions to programs 
drawing from common probability distributions and including symbolic constants. 


Contributions. This tool demonstration paper describes what AMBER can do 
and how it can be used for certifying (non-)(P)AST. 


— We present AMBER, a fully automatic open-source software artifact for 
certifying probabilistic (non-)termination (Section 2). 


— We exhaustively compare AMBER to related tools and report on our experimental 
findings (Section 3). 


— We provide a benchmark suite of 50 probabilistic programs as a publicly 
available repository of probabilistic program examples (Section 3). 
(a) 
x = RV(gauss, 0, 1) 
y = RV(gauss, 0, 1) 
while x**2+y**2 < c: 
    s = RV(uniform, 1, 2) 
    t = RV(gauss, 0, 1) 
    x = x+s @1/2; x+2*s 
    y = y+x+t**2 @1/2; y-x-t**2 

(b) 
while x > 0: 
    x = x+c @1/2; x-c 

(c) 
while x > 0: 
    x = x+c @1/2+e; x-c 

Fig. 2: Two programs supported by AMBER, with symbolic constants c, z0, e ∈ ℝ⁺; 
Program 2a is PAST, program 2b is AST but not PAST and program 2c is not AST. 


2 Usage and Components 


Programming Model. AMBER supports analyzing the probabilistic termination 
behavior of a class of probabilistic programs involving polynomial arithmetic 
and drawing from common probability distributions, parameterized by symbolic 
constants which represent arbitrary real numbers. All symbolic constants are 
assumed to be positive. Negative constants can be modeled with the explicit use of 
“-”. The grammar in Figure 1 defines the input programs to AMBER. Inputs consist 
of an initialization part and a while-loop, whose guard is a polynomial inequality 
over program variables. The initialization part is a sequence of assignments either 
assigning (symbolic) constants or values drawn from probability distributions. 
Within the loop body, program variables are updated with either (i) a value drawn 
from a distribution or (ii) one of multiple polynomials over program variables with 
some probability. Additional to the structure imposed by the grammar in Figure 1, 
input programs are required to satisfy the following structural constraint: each 
variable updated in the loop body depends at most linearly on itself and at most 
polynomially on the variables preceding it. At a high level, this constraint enables the 
use of algebraic recurrence techniques for probabilistic termination analysis [19]. 
Despite the syntactical restrictions, most existing benchmarks on automated 
probabilistic termination analysis [19] and dynamic Bayesian networks [3] can be 
encoded in our programming language. Figure 2 shows three example programs for 
which AMBER is able to automatically infer the respective termination behavior. 


Implementation and Usage. AMBER is implemented in python3 and relies 
on the lark-parser package to parse its input programs. Further, AMBER 
uses the diofant package as its computer-algebra system. To compute closed-form 
expressions for statistical moments of monomials over program variables 
only depending on the loop counter, AMBER uses the tool Mora [4]. However, 
for efficient integration within AMBER, we reimplemented and adapted the 
Mora functionalities exploited by AMBER (Mora v2), in particular by employing 
dynamic programming to avoid redundant computations. Altogether, AMBER 
consists of ~2000 lines of code. Figure 3 shows AMBER’s output when run on the 
program from Figure 2a. AMBER can be used through a Docker container [17] 
or installed locally. Detailed installation and usage instructions are available at 
https://github.com/probing-lab/amber. 


Run with Docker. AMBER can be used through a Docker container [17] by running: 

$ docker run -ti marcelmoosbrugger/amber 

AMBER can be run on our 2d_bounded_random_walk benchmark with: 

$ ./amber benchmarks/past/2d_bounded_random_walk 


Martingale expression: -x**2 - 11*x - 115/6 
Computing bounds for x**2 
Computing bounds for 1 
Computing bounds for x 

c - x**2 - y**2 
SM expression        -x**2 - 11*x - 115/6 
SM expression bound  -c20*n**2 

Explanation: 
Eventually, 'c - x**2 - y**2' is a ranking supermartingale. That's because eventually 
the bound of the supermartingale expression is '-c20*n**2'. 

Computation time: 3.6706s 


Fig. 3: The output of AMBER when run on the program from Figure 2a. 
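
The martingale expression reported in Figure 3 can be rederived from the moments of the distributions drawn in program 2a. The following is an added example, not AMBER's own code: the helper names are chosen here, and it assumes the loop body runs sequentially, so the update of y sees the already updated x.

```python
from fractions import Fraction as F
from math import comb

# Raw moments E[Z**k] of the random quantities in program 2a.
def m_uniform_1_2(k):            # s = RV(uniform, 1, 2)
    return F(2 ** (k + 1) - 1, k + 1)

def m_gauss_0_1(k):              # t = RV(gauss, 0, 1): 0 for odd k, (k-1)!! for even k
    if k % 2:
        return F(0)
    out = 1
    for i in range(1, k, 2):
        out *= i
    return F(out)

def m_step(k):                   # branch factor in x+1*s @1/2; x+2*s
    return F(1, 2) * 1 ** k + F(1, 2) * 2 ** k

def padd(p, q):                  # polynomials in x as {power: coefficient}
    r = dict(p)
    for e, c in q.items():
        r[e] = r.get(e, 0) + c
    return {e: c for e, c in r.items() if c != 0}

def pscale(p, c):
    return {e: c * v for e, v in p.items() if c * v != 0}

def e_x_next_pow(n):
    """E[x_new**n | x] for x_new = x + k*s, expanded with the binomial theorem."""
    out = {}
    for j in range(n + 1):
        out = padd(out, {n - j: comb(n, j) * m_step(j) * m_uniform_1_2(j)})
    return out

def drift_2a():
    """E[M_new - M | state] for M = c - x**2 - y**2, as a polynomial in x."""
    ex1, ex2 = e_x_next_pow(1), e_x_next_pow(2)
    # y_new = y +/- (x_new + t**2), each sign with probability 1/2, so the
    # term linear in y cancels and E[y_new**2 - y**2] = E[(x_new + t**2)**2].
    ey2_gain = padd(padd(ex2, pscale(ex1, 2 * m_gauss_0_1(2))), {0: m_gauss_0_1(4)})
    ex2_gain = padd(ex2, {2: F(-1)})          # E[x_new**2] - x**2
    return pscale(padd(ex2_gain, ey2_gain), F(-1))

if __name__ == "__main__":
    print(sorted(drift_2a().items(), reverse=True))
```

The resulting polynomial is negative for every x reachable in the loop (x starts from a draw and only grows by positive steps once it is positive), which is what makes c - x**2 - y**2 a candidate ranking supermartingale.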


Local installation. First, clone the repository by running the following command 
in your terminal: 

$ git clone git@github.com:probing-lab/amber.git 

Change directories to AMBER’s root folder and make sure python3.8 and the 
package manager pip are installed on your system. All required python packages 
can be installed by running: 

$ pip install -r requirements.txt 

Create an input program (see Section 2) and save it in the benchmarks folder for 
example with the file name my-benchmark. AMBER can now be run with respect 
to the input program benchmarks/my-benchmark with the following command: 
$ python ./amber.py --benchmarks benchmarks/my-benchmark 


Components. Figure 4 illustrates AMBER’s main components. AMBER uses four 
existing probabilistic termination proof rules [6,12,16,9] and their relaxations [19]. 
Additionally, AMBER extends the algorithms for these relaxations to further 
[Figure 4 diagram. Labels: Input Program; Probabilistic Termination Proof Rules (Choose & Run Rule; Initial State Rule, Ranking SM Rule, Repulsing SM Rule, Supermartingale Rule; Rule out Rule, Witness); Asymptotic Bounds (Fundamentals; Monomial Bound Store; Simplify, MORA v2; Branches Domination; Branch Store; Asymptotics; Invariance); Output (Termination Property).] 


Fig. 4: Main components of AMBER and interactions between them. 


support drawing from common probability distributions and symbolic constants 
(cf. Figure 1). After parsing the input program, AMBER initializes the four proof 
rule relaxations and determines their applicability [19]. AMBER then executes 
applicable proof rules consecutively and reports the analysis result containing 
potential witnesses for (non-)(P)AST. The proof rule algorithms require the 
computation of asymptotic bounding functions which is implemented in the 
Bound Store component. 


3 Evaluation 


Experimental Setup. AMBER and our benchmarks are publicly available at 
https://github.com/probing-lab/amber. The output of AMBER is an answer 
(“Yes”, “No” or “Maybe”) to PAST and AST, together with a potential witness. 
We took all 39 benchmarks from [19] and extended them by 11 new programs to 
test AMBER’s capability to handle symbolic constants and drawing from probability 
distributions. The 11 new benchmarks are constructed from the 39 original 
programs, by adding noise drawn from common probability distributions and 
replacing concrete constants with symbolic ones. As such, we conduct experiments 
using a total of 50 challenging benchmarks, involving polynomial arithmetic, 
probability distributions and symbolic constants. Further, we compare AMBER 
not only against Absynth and MGen (as in [19]), but also evaluate AMBER in 
comparison to the recent tools LexRSM [1], KoAT2 [18] and ecoimp [2]. Note that 
MGen can only certify PAST and LexRSM only AST. Moreover, the tools Absynth, 
KoAT2 and ecoimp mainly aim to find upper bounds on expected costs. Tables 1-3 
summarize our experimental results, with benchmarks separated into PAST 
(Table 1), AST but not PAST (Table 2), and not AST (Table 3). Benchmarks 
marked with * are part of our 11 new examples. In every table, ✓ (✗) marks a 
tool (not) being able to certify the respective termination property. Moreover, NA 
symbolizes that a benchmark is out-of-scope for a tool, for instance, due to not 
supporting some distributions or polynomial arithmetic. All benchmarks have 

[Table 1: per-tool results (✓, ✗, NA) for each PAST benchmark, among them 2d_bounded_random_walk, biased_random_walk_const, biased_random_walk_exp, biased_random_walk_poly, coupon_collector_4, exp_rw_gauss_noise*, gemoetric_gaussian* and symb_2d_rw*. Total row: 23 9 11 12 11 13.] 


Table 1: 27 programs which are PAST. 


been run on a machine with a 2.6 GHz Intel i7 (Gen 10) processor and 32 GB 
of RAM and finished within a timeout of 50 seconds, where most experiments 
terminated within a few seconds. 


Experimental Analysis. AMBER successfully certifies 23 out of the 27 PAST 
benchmarks (Table 1). Although Absynth, KoAT2 and ecoimp can find expected 
cost upper bounds for large programs [20,18,2], they struggle on small programs 
whose termination is not known a priori. For instance, they struggle when a 
benchmark probabilistically “chooses” between two polynomials working against 
each other (one moving the program state away from a termination criterion and 
one towards it). Our experiments show that AMBER handles such cases successfully. 
MGen supports the continuous uniform distribution and KoAT2 the geometric 
distribution whose support is infinite. With these two exceptions, AMBER is 
the only tool supporting continuous distributions and distributions with infinite 
support. To the best of our knowledge, AMBER is the first tool certifying PAST 
supporting both discrete and continuous distributions as well as distributions with 
finite and infinite support. AMBER successfully certifies 12 benchmarks to be AST 
which are not PAST (Table 2). Whereas the LexRSM tool can certify non-PAST 
programs to be AST, such programs need to contain subprograms which are 
PAST [1]. The well-known example of symmetric_1D_random_walk, contained 
in our benchmarks, does not have a PAST subprogram. Therefore, the LexRSM 
tool cannot establish AST for it. In contrast, AMBER using the Supermartingale 


The Probabilistic Termination Tool Amber 7 


[Table 3: columns Program and AMBER; benchmarks include biased_random_walk_nast_1 to biased_random_walk_nast_4, binomial_nast, polynomial_nast and hypergeo_nast*. Total row: 8.] 

Table 3: 9 programs which are not AST. 

[Table 2: per-tool results (✓, ✗, NA) for each benchmark, among them gambling, symmetric_random_walk_linear_1, symmetric_random_walk_linear_2, symmetric_random_walk_poly_1 and laplacian_noise*. Total row: 12 0.] 


Table 2: 14 programs which are AST 
and not necessarily PAST. 


Rule can handle these programs. To the best of our knowledge, AMBER is the 
first tool capable of certifying non-AST for polynomial probabilistic programs 
involving drawing from distributions and symbolic constants. AMBER is also the 
first tool automating (non-)AST and (non-)PAST analysis in a unifying manner. 


Experimental Summary. Tables 1-3 demonstrate that (i) AMBER outperforms 
the state-of-the-art in certifying (P)AST, and (ii) AMBER determines 
(non-)(P)AST for programs with various distributions and symbolic constants. 


4 Conclusion 


We described AMBER, an open-source tool for analyzing the termination behavior 
for polynomial probabilistic programs, in a fully automatic way. AMBER computes 
asymptotic bounding functions and martingale expressions and is the first tool to 
prove and disprove (P)AST in a unifying manner. AMBER can analyze continuous, 
discrete, finitely- and infinitely supported distributions in polynomial probabilistic 
programs parameterized by symbolic constants. Our experimental comparisons 
give practical evidence that AMBER can (dis)prove (P)AST for a substantially 
larger class of programs than state-of-the-art tools. 